ISMS policy and ISMS framework (global document)
1 - Can you please explain the contents that need to be included in these documents?
Answer: To be compliant with ISO 27001, an ISMS policy must define the purpose, direction, principles and basic rules for information security management.
To see an example of the content of an ISO 27001 ISMS policy, I suggest you take a look at the free demo of our Information Security Policy at this link: https://advisera.com/27001academy/documentation/information-security-policy/
For more information about ISMS policy, I also suggest you these materials:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
ISMS framework usually stands for the set of policies and procedures that need to be written to manage security in your company - for examples, see our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
2 - Are ISMS objectives defined first, or is RA/RT performed first?
Answer: The top-level information security objectives are defined before the RA/RT, because they need to reflect the external and internal issues that are relevant and can prevent the ISMS from achieving the expected results.
3 - Can organisations have the ISMS policy defined before setting ISMS objectives? Because ISMS objectives are included in the policy, I believe the policy is defined after the objectives, and these objectives are defined after the RA/RT…
Answer: You can define information security objectives before or after you publish your top-level ISMS policy - both approaches are allowed since the objectives can be documented in a separate document.
Aug 30, 2017